Additional Materials:

Contact:

While the use of Social Security numbers (SSN) can be very beneficial to the public sector, SSNs are also a key piece of information used for committing identity crimes. The widespread use of SSNs by both the public and private sectors and their display in public records have raised concern over how SSNs might be misused and how they should be protected. In light of this concern, GAO was asked to examine (1) the extent to which SSNs are visible in records made available to the public, (2) the reasons for which governments collect SSNs in records that display them to the public, and (3) the formats in which these records are stored and ways that the public gains access to them. As well as looking at public records, GAO also examined the practices of several federal agencies regarding the display of entire nine-digit SSNs on health insurance and other identification cards issued under their authority.

Social Security numbers appear in any number of records exposed to public view almost everywhere in the nation, primarily at the state and local levels of government. State agencies in 41 states and the District of Columbia reported visible SSNs in at least one type of record and a few states have them in as many as 10 or more different records. SSNs are most often to be found in state and local court records and in local property ownership records, but they are also scattered throughout a variety of other government records. In general, federal agency display of SSNs in public records is prohibited under the Privacy Act of 1974. While the act does not apply to the federal courts, they have taken action in recent years to prevent public access. With regard to the SSNs maintained in public records, various state and local officials commonly reported needing them for identity verification. A few, however, said they had no use for the SSN, but that documents submitted to their offices often contained them. States also commonly reported using the SSN to facilitate the matching of information from one record to another. The federal courts largely collect SSNs when required by law to do so; however, due to privacy concerns, SSNs are not in documents that are available electronically to the public. Public records with SSNs are stored in a multiplicity of formats, but public access to them is most often limited to the inspection of individual paper copies on site or via mail by request. Few state agencies make records with SSNs available on the Internet; however, 15 to 28 percent of the nation's 3,141 counties do place them on the Internet and this could affect millions of people. Overall, GAO found that the risk of exposure for SSNs in public records at the state and local levels is highly variable and difficult for any one individual to anticipate or prevent. Another form of SSN exposure results from a government practice that does not involve public records per se. GAO found that SSNs are displayed on cards issued to millions of individuals under the authority of federal agencies for identity purposes and health benefits. This involves approximately 42 million Medicare cards, 8 million Department of Defense identification cards, as well as some insurance cards, and 7 million Veterans Affairs identification cards, which display the full nine-digit SSN. While some of these agencies are taking steps to remove the SSNs, there is no governmentwide federal policy that prohibits their display. Although we did not examine this phenomenon across all federal programs, it is clear that the lack of a broad, uniform policy allows for unnecessary exposure of personal Social Security numbers.

Recommendation for Executive Action

Status: Closed - Implemented

Comments: On May 22, 2007, OMB issued a memorandum directing the heads of executive departments and agencies to take a number of actions to safeguard against and respond to the breach of personally identifiable information. These actions included (1) reviewing current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function, and (2) reviewing the use of social security numbers in agency systems and programs to identify instances in which collection or use of the social security number is superfluous. Also, within 120 days from the date of the memo, agencies were required to establish a plan to eliminate the unnecessary collection and use of social security numbers within eighteen months. In addition, the memo required that agencies participate in government-wide efforts to explore alternatives to use of Social Security Numbers as a personal identifier for both Federal employees and in Federal programs.

Recommendation: To address this potential vulnerability, the Director, Office of Management and Budget, should identify all those federal activities that require or engage in the display of nine-digit SSNs on health insurance, identification, or any other cards issued to federal government personnel or program beneficiaries, and devise a governmentwide policy to ensure a consistent approach to this type of display.

Agency Affected: Executive Office of the President: Office of Management and Budget